Criminal hackers embed AI to scale and hide attacks
Key insights
- Named criminal clusters are using AI across full attack chains, including ransomware delivery and identity-based intrusions, not just exploit development.
- The AI-built zero-day disclosed by Google GTIG was the first publicly confirmed case of a broader trend already operational across multiple criminal groups.
- AI-assisted concealment is compressing attacker dwell times in ways that overwhelm signature-based detection tools relying on known behavioral patterns.
Why this matters
Security vendors whose products depend on signature-matching face a structural efficacy gap as AI-assisted evasion becomes a standard capability across criminal groups, not an edge case. The Bloomberg report's naming of specific clusters using AI in ransomware chains compresses the timeline for enterprise security teams to justify budget shifts toward behavioral and AI-augmented detection, since the threat is confirmed operational rather than theoretical. Founders building in the detection and response space now have a named, documented forcing function to accelerate enterprise procurement conversations that have stalled on ROI justification.
Summary
Criminal hacker groups are embedding AI across full attack cycles, not just for building exploits but for amplifying intrusion volume, accelerating lateral movement, and concealing post-compromise activity from detection tooling.
Bloomberg's May 13 cybersecurity newsletter goes beyond the Google GTIG zero-day disclosure from two days prior, naming specific clusters using AI inside ransomware delivery chains and identity-based intrusion campaigns. The GTIG case, the first publicly confirmed AI-built zero-day, turns out to be a visible data point in an already-operational trend.
Essentially, taken together with the Google GTIG disclosure and the Bloomberg-named criminal clusters, the threat is active and distributed, not experimental.
- AI-assisted concealment is compressing attacker dwell times past the threshold where signature-based defenses can generate reliable alerts.
- Ransomware delivery and identity-based intrusions are the two documented vectors where AI integration is confirmed.
- Attack volume amplification means security teams face simultaneous scale and evasion pressure, not one or the other.
The practical defense posture for enterprises has moved from blocking known exploit signatures to detecting AI-assisted behavior designed to look like legitimate activity.
Potential risks and opportunities
Risks
- Enterprise SOC teams running signature-based detection stacks (Splunk, IBM QRadar) face undetected breach exposure as AI-assisted dwell-time compression renders behavioral baselines calibrated before 2025 operationally unreliable.
- Cyber insurers (Coalition, At-Bay, Resilience) writing ransomware policies without AI-evasion clauses face claims exposure as intrusions outpace policy language that was last updated against pre-AI ransomware TTPs.
- Identity providers (Okta, Microsoft Entra) whose anomaly detection relies on static behavioral baselines face documented bypass risk as AI-powered identity intrusions learn to mimic legitimate user session patterns at scale.
Opportunities
- AI-native behavioral detection vendors (Darktrace, Vectra AI, CrowdStrike Falcon) gain direct sales acceleration as Bloomberg-level coverage validates the urgency of moving budget away from signature-based tooling.
- Security operations platform vendors (Palo Alto Cortex XSIAM, SentinelOne) can use this reporting to fast-track AI-assisted SOC analyst tools into enterprise procurement cycles currently stalled on ROI justification.
- Cyber insurers with AI-evasion-specific underwriting models gain pricing leverage over legacy carriers still using pre-2025 ransomware risk frameworks, creating a repricing window in the next two quarters.
What we don't know yet
- Which specific criminal clusters Bloomberg named, and whether any carry confirmed links to nation-state infrastructure or known APT groups.
- Whether the AI tooling these groups are using is built on commercial LLMs, fine-tuned open-source models, or purpose-built criminal infrastructure, which would significantly affect defensive countermeasures.
- Whether Google GTIG has published patch timelines or indicators of compromise tied to the specific zero-day disclosed May 11, and how it connects to the broader clusters Bloomberg identifies.
Originally reported by bloomberg.com
Original headline: Bloomberg: Hackers Are Already Using AI to Beef Up Their Attacks and Hide Their Activity Beyond Known Zero-Days